
About this guide 


This user guide helps you get started with and use Secure Enterprise Mobility (SEM) with
Cloud Platform.


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com. 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access support information at www.qualys.com/support/. 


Get Started 


Welcome to the Qualys Secure Enterprise Mobility (SEM) User Guide. Qualys SEM offers 
you a cloud-based solution to help you secure, monitor, and manage mobile devices 
(including smartphones and tablets) across your enterprise. 


Before starting, let’s understand the different users mentioned in this document: 


Admin User - Admin user configures all necessary settings required to enroll the mobile 
devices, creates SEM users, and monitors various dashboards and reports. 


SEM User - Users added to the SEM module/application are considered as SEM Users. SEM 
Users are holders/owners of the mobile devices. 


With SEM, you get:


- Comprehensive visibility into mobile device details, installed apps, and configurations,
even if the devices are not on the VPN or network,


- Real-time visibility into vulnerabilities and critical device settings along with monitoring 
for potentially harmful applications, 


- Automatic correlation of vulnerabilities with apps and Android patches, and 


- Orchestration of appropriate response actions such as deploying patches from Google 
Play Store or uninstalling vulnerable apps. 


We'll help you get started quickly! 


Supported Platforms 

- Android (Version 4.4.2 and higher) 
- iOS (Version 9.0 and higher)

- iPadOS (Version 13.1 and higher) 


What are the steps? 


1) Setup End User License Agreement (EULA). For information on setting up EULA, refer to 
EULA Management. (This step is optional) 


2) Configure APNs certificates if your SEM users have iOS devices to enroll. For more 
information, refer to APNs Certificates. 


3) Create SEM users. For detailed steps, refer to Creating a New SEM User. If you add an
email address while creating an SEM user, the user receives an email that contains the
credentials and enrollment details. You can also add multiple SEM users in one go with
the Bulk User Upload option.


4) Now, SEM users can start enrolling their mobile devices. For more information, refer to
Device Enrollment. If devices are already enrolled in any EMM, configure the 'Enroll device
without SEM EMM' setting for iOS and Android, i.e., select the 'All iOS devices' and 'All Android
devices' check-boxes. For more details, refer to Enrollment Settings. You can auto-enroll
the devices through an automated enrollment process.


5) Monitor mobile devices inventory and its security posture using Dashboards and 
Reports once SEM users enroll their devices. 


6) If the devices are enrolled in Intune, configure the Intune Connector to sync the
enrolled devices into SEM without an agent.



Configurations 


This section helps you to create and manage EULA. It also helps you to configure APNs 
certificates. This section also helps you configure organization-level settings, such as 
organization information, enrollment settings, application settings, and sync settings. 


EULA Management 


Your End User License Agreement (EULA) may include the policies and declarations 
related to the asset management, information access, privacy, Acceptable Use Policy 
(AUP), reimbursement of expenses, HR policies, non-disclosure of corporate data, and so 
on. 


Typically, the organization’s legal team provides EULA. 


Customer's use of the Cloud Services will result in Personal Identifiable Information being 
processed by Qualys. Customer acts as a data controller, and Qualys acts as a Data 
Processor. It is the customers’ obligation, and Qualys shall not have any obligation, to 
gather the appropriate consent from every data subject from whom the customer is 
gathering Personally Identifiable Information through the Cloud Services. The customer is 
required to enter into an end-user agreement with each data subject that informs the 
subject of the data gathered and the use that customer shall make of such data. Qualys 
offers provision to define such end user agreement and shall not be deemed to have 
advised customer regarding the appropriateness or completeness of such end-user 
agreement. 


Set up the EULA from the Configuration tab. We provide you with a provision to add the 
End User License Agreement text. This step is optional. If EULA is configured, the asset 
user must accept the EULA before enrolling assets. 


Qualys allows you to configure your own EULA text based on your organization's needs 
and policies. When a EULA is associated with an SEM user, the user must accept the EULA 
at the time of device enrollment. 


What are the steps to configure a new EULA? 


1) Click the help icon (question mark icon) and then click Get Started.


2) Click Configure End User License Agreement to open the Edit EULA page. Provide the
EULA text and then click Save.



You can also access the EULA from Configurations > EULA. You can edit the EULA text 
using the Edit action from the quick action menu. 



APNs Certificates 


This section applies only to iOS devices. To manage iOS devices, you must obtain an
Apple Push Notification service (APNs) certificate for secure communication between the
Qualys SEM server and the Apple devices. Qualys SEM helps you generate and renew APNs
certificates.


What is an APNs Certificate? 


SEM uses an APNs certificate to send notifications to Apple devices when the
administrator or the server initiates communication, either to request information
from the devices or to publish apps or policies to them. No data is sent through
the APNs service, only the notification.


[Figure: Qualys SEM Server, Apple APN Server and device, with a push notification path through the Apple APN Server and direct communication with the Qualys SEM Server]


Pre-requisites to Generate the Certificate 


- An Apple ID (you can create one at https://appleid.apple.com). Using an Apple ID that
belongs to the organization is recommended.


- Mac OS X or Windows workstation with Administrative permissions
- Web browser (Safari, Mozilla Firefox, or Chrome is required to work with Apple’s
website)


Steps to Generate APNs Certificate


1) Log in to the SEM Portal at https://xxxx.apps.qualys.com.



2) Navigate to Configurations > APNs Configuration and click New. 


3) Download the Certificate Signing Request (CSR) file and save the file at a known 
location. Click Next. 

4) Click the Goto Apple Portal link to go to the Apple Push Certificate Portal
(https://identity.apple.com/pushcert/).

5) Log in using your corporate Apple ID and password. Click Create a Certificate. 



6) Select the I have read and agree to these terms and conditions check-box, and then click
Accept.



7) Browse to the location where you saved the Qualys_CertificateSigningRequest.txt file 
and then upload the certificate file. 



8) In the confirmation window, download the PEM file to a known location. 



9) Go back to the Configure APNs Certificate wizard in the Qualys portal. In the Create
Certificate tab, enter the APNs Name and the Apple ID that you used to generate
the PEM file and click Next.


[Screenshots: Configure APNs Certificate wizard. Step 2/3, Create Certificate: provide a friendly name for the certificate and the Apple ID (it can be any Apple ID and need not be an Apple Developer Account). Step 3/3, Upload Certificate: upload the certificate file (.pem) that you downloaded from the Apple Portal.]

11) Enter the Qualys portal password and click Save.


The APNs Configuration tab lists the APNs certificate, and you can start using it to
manage your Apple devices. The APNs certificate is valid for 365 days, so you must
renew it before it expires. To know more, refer to Renew
APNs Certificate.


Organization Information 


This section helps you configure the organization-level information. The sender’s address 
helps to send out any communication or notification from the organization. 


Settings 

This section helps you to configure various enrollment settings, application settings, and 
sync settings. 

Enrollment Settings 


Enrollment details are required to enroll the SEM user device, including ownership of the 
device, asset communication mode, option to provide a mobile number, and device 
enrollment without SEM EMM. 


[Screenshot: Enrollment Settings, showing Default Ownership of Assets, Default Asset Communication Mode (Push or Poll), Mandate Mobile Number (No or Yes), and Enroll devices without SEM EMM (All iOS Devices, All Android Devices)]

For Android devices, you need to choose the asset communication mode (Push or Poll) using
the radio button.


- Push: Qualys server initiates communication with the device when required. 


- Poll: Device will communicate to the Qualys server after the specified regular interval. 
You can set the polling intervals in Sync Settings. 


If you need to enroll devices without SEM EMM, select the appropriate check-box. You can 
enroll all iOS devices or Android devices without SEM EMM. 

Note: If your organization's devices are already enrolled in any EMM, select the check-boxes
to enroll iOS devices or Android devices without SEM EMM.


Application Settings


This setting allows you to set a default value for the Maximum Enrollable Assets field 
while creating SEM users. 


[Screenshot: Application Settings, with Default Maximum Enrollable Assets set to 10]


Sync Settings 


These settings allow you to define various sync intervals like polling interval, asset sync 
interval, and heartbeat interval. 


[Screenshot: Sync Settings. Recommended values are shown by default; lowering any of these values will increase battery usage and data consumption on your assets. Polling Interval (in Minutes): 15. Asset Sync Interval (in Hours): 24. Heartbeat Interval (in Hours): 4.]


- Polling Interval (in Minutes): If the device is in poll mode, it will communicate with the 
server at the time interval as per configuration. 


- Asset Sync Interval (in Hours): Device regularly sends the asset update information such 
as newly installed apps, changes in settings, and so on, to the Qualys server as per the 
intervals set here. 


- Heartbeat Interval (in Hours): Device regularly communicates to the Qualys server 
notifying its status as per interval set here. 

Connector 


Configure the connector to sync the devices enrolled in EMM/MDM solution in SEM. For 
now, you can sync only those devices that are enrolled in Intune EMM using a connector. 


Following are the steps to configure a new connector: 


1) Navigate to the Configurations > Connectors sub-tab and click Create. 

2) Enter Name and Description in Basic Details and click Next. 



3) Enter Authentication Details.
Mark device as De-enrolled if the device is de-enrolled from Intune.


Note: Polling frequency can be set to a minimum of 1 hour, which means that every
hour the sync tries to fetch all the devices that are enrolled against the specified Tenant
ID.


4) Click Next.


5) Once the entered details are reviewed and confirmed, click Configure.


[Screenshot: Create Connector, step 3/3 (Review and Confirm), showing Basic Details and Authentication Details: Tenant ID, Mark device as De-enrolled if devices are de-enrolled from Intune, and Polling Frequency]

You will be redirected to the Microsoft portal, where all the required permissions are
mentioned.


6) Click Accept.


The newly created connector will be listed under the Configurations > Connectors sub-tab.



Wait for a while to allow the devices to sync with the new connector. You can also sync
manually by selecting the drop-down icon next to the required connector and clicking
Run.

Other actions possible for the existing connectors are View Details, Edit, and Delete. 
The added devices can be searched in the Inventory sub-tab. 


Note: These devices are enrolled without SEM EMM. 


Auto-merging of Cloud Agent Assets with Intune Synced Assets 


Once a connector is configured, the assets enrolled in EMM/MDM solution are
automatically synced with Intune assets. Installing the Cloud Agent on the synced assets
is optional. Installing the Cloud Agent lets you leverage the benefits of
both the Cloud Agent and Intune.


Once the agent is enrolled, the Cloud Agent asset gets automatically merged into the
respective Intune synced asset. Once it is merged, only one asset entity appears on the UI.

In the Asset Details window, you can confirm the following: 


- If the agent is installed on the asset or not, by referring to the Qualys Cloud Agent 
Installed field. If the agent is installed on the asset then the Qualys Cloud Agent Installed 
field displays Yes. 


- If the asset is enrolled with Intune or not, by referring to the Source field. If the asset is 
synced through Intune then the Source field displays Intune. 




SEM User Management 


SEM users are the users who enroll their devices as per email received from the Admin 
User. The email contains detailed steps to enroll the mobile device. To enroll the device, 
refer to Device Enrollment. 


SEM offers organizations flexible options to manage and organize SEM user accounts.
SEM users are the device owners and are different from Portal users.


Navigate to the Users tab to see the list of existing users. 

Creating a New SEM User 


You'll be able to create a new SEM user with the following steps: 


1) Navigate to the Users tab and click Create User from the New drop-down menu. 

2) On the Add User page, enter the user information in the Personal Information section 
and then click Next. 



3) On the Add User page, provide the following user configurations in the User
Configuration section.


- EULA: Configure the EULA message you want users to read and accept. For more
information, refer to EULA Management. EULA configuration is optional. However, if EULA
is configured, you need to associate it with the SEM user, and the SEM user must accept
the EULA while enrolling their device.


- Maximum Enrollable Assets: This is the maximum number of assets that can be
enrolled for this SEM user. The default value for maximum enrollable assets is configured
in Application Settings.


- Status: You can create a user in the Active or Inactive state. An active user can enroll
devices, while inactive users won't be able to enroll the devices.

4) Click Add, and you'll see a user in the list. 


Once you add a user with a valid email address, an email is sent to the user to enroll the 
device. 


Bulk User Upload 


SEM offers the option to upload users in bulk. With this feature, the admin can import a 
CSV file containing a list of users in SEM. 


Importing Users 
You'll be able to import users with the following steps: 


1) Navigate to the Users tab, and from the New drop-down, click Import from CSV. 

2) You can download a sample template CSV file by clicking the Download link from the 
Import Users page. 



To upload the users in SEM, make sure you have met the following conditions:


- The file you are uploading must be in CSV format (tab or comma delimited)


- The file must contain 1 row of information for each user that needs to be
registered/enrolled


- The first row contains the column titles/attributes


- If mandatory fields are left blank or the file contains duplicate data, you will be informed of
the line numbers and data that need to be fixed. Data will be saved only when all the
errors are cleared


- Make sure you have the latest CSV file format. Refer to the following table to fill the
correct information in the CSV file:


| Fields | Mandatory / Optional | Validations |
|---|---|---|
| Username | Mandatory | Should be alphanumeric and ‘+’, ‘@’, ‘’, ‘_’, ‘-’ these five characters are allowed. Must be at least 6 characters in length and maximum 250 characters are allowed. |
| First_Name | Optional | Should be alphanumeric. Must be at least 2 characters in length and maximum 250 characters are allowed. |
| Middle_Name | Optional | Should be alphanumeric. Must be at least 2 characters in length and maximum 250 characters are allowed. |
| Last_Name | Optional | Should be alphanumeric. Must be at least 2 characters in length and maximum 250 characters are allowed. |
| Email_ID | Optional | Must be in standard email format. For example: yourname@yourdomain.com |
| Contact Number | Optional | Should be numeric. Must be at least 4 digits in length. |
| EULA | Optional | If EULA is configured for your organization, then only EULA will be mandatory, else optional. It should be alphanumeric, and the EULA name is case sensitive. It must be at least 6 characters in length. Note: EULA should exist. |
| Maximum Enrollable Assets | Mandatory | Should be numeric. Must be greater than zero. |
| Status | Mandatory | Copy and paste the status as mentioned. This field is case sensitive. Status can be Active or Inactive. |
| Tag | Optional | Should be alphanumeric and Tag name is case-sensitive. |
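
A pre-upload check that applies the validations in the table to a CSV file and reports problems by line number, as an added example (not Qualys code). It assumes the column titles equal the Fields column, that the unreadable third Username character is ".", that several tags in one cell are comma-separated, and that "duplicate data" means a repeated Username; the sample rows are constructed.

```python
import csv
import io
import re

ALNUM = "[A-Za-z0-9]"
NAME = ALNUM + "{2,250}"

# field -> (mandatory, full-match pattern, expectation shown in the error).
# Column titles are assumed to equal the "Fields" column of the table; the
# template downloaded from the Import Users page is authoritative.
RULES = {
    # The third permitted punctuation character is unreadable on the page;
    # "." is an assumption.
    "Username": (True, r"[A-Za-z0-9+@._-]{6,250}",
                 "6-250 characters: alphanumeric or + @ . _ -"),
    "First_Name": (False, NAME, "2-250 alphanumeric characters"),
    "Middle_Name": (False, NAME, "2-250 alphanumeric characters"),
    "Last_Name": (False, NAME, "2-250 alphanumeric characters"),
    "Email_ID": (False, r"[^@\s]+@[^@\s]+\.[^@\s]+", "standard email format"),
    "Contact Number": (False, r"[0-9]{4,}", "numeric, at least 4 digits"),
    "Maximum Enrollable Assets": (True, r"0*[1-9][0-9]*",
                                  "numeric, greater than zero"),
    "Status": (True, r"Active|Inactive", "Active or Inactive (case sensitive)"),
    # Several tags in one cell, separated by commas, is an assumption.
    "Tag": (False, ALNUM + "+(?:," + ALNUM + "+)*", "alphanumeric tag name(s)"),
}


def validate_users_csv(text, eula_names=None):
    """Return a list of (line, field, problem); an empty list means the file passes.

    eula_names: names of the EULAs that exist in SEM, or None when no EULA
    is configured for the organization (EULA is then optional).
    """
    first_line = text.split("\n", 1)[0]
    delimiter = "\t" if "\t" in first_line else ","  # tab or comma delimited
    reader = csv.DictReader(io.StringIO(text, newline=""), delimiter=delimiter)
    errors = []
    header = reader.fieldnames or []
    for field, (mandatory, _, _) in RULES.items():
        if mandatory and field not in header:
            errors.append((1, field, "mandatory column missing from header row"))
    seen = {}  # Username -> line where it first appeared
    for row in reader:
        line = reader.line_num
        for field, (mandatory, pattern, hint) in RULES.items():
            value = (row.get(field) or "").strip()
            if not value:
                if mandatory:
                    errors.append((line, field, "mandatory field is blank"))
            elif not re.fullmatch(pattern, value):
                errors.append((line, field, "expected " + hint))
        # EULA: mandatory only when one is configured; the name must exist.
        eula = (row.get("EULA") or "").strip()
        if eula_names is not None and not eula:
            errors.append((line, "EULA", "mandatory because a EULA is configured"))
        elif eula and not re.fullmatch(ALNUM + "{6,}", eula):
            errors.append((line, "EULA", "expected at least 6 alphanumeric characters"))
        elif eula and eula not in (eula_names or ()):
            errors.append((line, "EULA", "EULA does not exist (name is case sensitive)"))
        username = (row.get("Username") or "").strip()
        if username:
            if username in seen:
                errors.append((line, "Username", "duplicate of line %d" % seen[username]))
            else:
                seen[username] = line
    return errors


# Constructed sample: line 2 is valid, line 3 breaks several rules,
# line 4 repeats the Username from line 2.
SAMPLE = (
    "Username,First_Name,Middle_Name,Last_Name,Email_ID,Contact Number,"
    "EULA,Maximum Enrollable Assets,Status,Tag\n"
    "jdoe_q,John,,Doe,jdoe@example.com,5550100,corpEULA1,10,Active,SEM\n"
    'asmith,A,,Smith,asmith-at-example.com,12,,0,active,"SEM,tag 01"\n'
    "jdoe_q,Jane,,Doe,,,corpEULA1,5,Inactive,\n"
)

if __name__ == "__main__":
    for line, field, problem in validate_users_csv(SAMPLE, {"corpEULA1"}):
        print("line %d, %s: %s" % (line, field, problem))
```
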


If your CSV file is not proper (invalid), click the View Errors link to see the Error List page 
with a list of errors in the CSV file. Following is the screen for sample errors: 


[Screenshot: Error List page showing the rows with highlighted errors found in the .csv file, to be rectified before the file is re-uploaded]


3) Click Next after uploading a valid CSV file. Review the user list and click Import Users 
to upload the users. 


Mobile Device Inventory


Once the SEM users enroll their mobile devices, you can view the list under the Inventory 
tab. 


Refer to Device Enrollment to enroll the mobile devices. This gives you in-depth visibility 
of all mobile devices across your enterprise, including their configuration and installed 
applications. 


Select the Asset option to view the asset details and security posture in your inventory.
You can use the various metadata filters, group by options, and custom query capabilities
to find what you are interested in.




With quick actions for a specific asset, you can view the details for the asset, deactivate
the asset, or send a message.


The asset listing provides a holistic view of all assets with the number of vulnerabilities
for each asset. It also gives status details with the number of assets in each status, such
as enrolled, de-enrolled, and ready for re-enrollment.


- Enrolled: Device is ready for management
- De-enrolled: Corporate data is deleted, and the device is not being managed
- Ready for Re-enrollment: Device is added but currently not managed


Assets are also segregated based on platforms, ownership, tags, and whether they are
vulnerable or not.
Click a particular asset to view the asset details.

It includes: 


Inventory 



- Asset Summary: Summary view with security posture
- System Information: Inventory information which includes specifications and hardware
details
- Network Information: Network information which includes the cellular and Wi-Fi
information
- Asset Settings: Displays last synced configurations for settings that may make the device
vulnerable, such as developer option settings, USB debugging, etc.
- Apps: Get visibility into the list of apps installed on the device
- CA Certificates: Displays list of CA certificates issued for the device
- Location: Displays device location over the period of time


Security

- Vulnerabilities: Displays vulnerabilities on the device with severity levels and status
- Security Tokens: Displays list of security tokens used in the device


Management

- Actions: Lists various actions that can be performed on the device
- Logs: Displays various audit logs, sent messages and diagnostic logs


Vulnerability Assessment 


Qualys Vulnerability Assessment is a cloud-based service that gives you immediate, global 
visibility into where your IT systems might be vulnerable to the latest Internet threats and 
how to protect them. It helps you to continuously identify threats and monitor the 
unexpected changes in your network before they turn into breaches. 


Vulnerability Assessment in SEM 


Vulnerability Assessment in SEM gives you visibility into mobile devices vulnerable to
threats due to an outdated OS.


On enrollment, vulnerability scanning is done for each mobile device. Within a couple of
minutes, the vulnerabilities are evaluated, and you can see the detected vulnerabilities. We
have the best coverage of vulnerabilities for Android and iOS. It includes:


- Device vulnerabilities, including vulnerable OS versions with CVE details. We cover OS
vulnerabilities from 2016 to the latest for Android and iOS, which helps you secure devices
from the attacks, as explained above. It also detects exploits for the OS vulnerabilities.

- Detection of jailbroken/rooted devices, disabled encryption, and removed/disabled
passwords.

- For app vulnerabilities, we detect the CVEs of the vulnerable apps, such as the Google
Chrome application vulnerabilities shown in the above example, and detect potentially
harmful applications. We cover application vulnerabilities from 2016 to the latest.

- For network vulnerabilities, we detect devices connected to an open Wi-Fi network.


For Android, if a device manufacturer such as Samsung, Google, LG, or Huawei has
published a security update advisory for its devices, the QIDs are marked as
Confirmed; for the rest of the devices, the QIDs are marked as Potential.


Navigate to the Vulnerabilities tab to see the list of vulnerability detections for the mobile 
devices. 




Click a particular QID to view the vulnerability details. 




Vulnerability details include the following:

- Detection Summary: Displays vulnerability detected
- General Information: Displays vulnerability summary with possible threats and solution
- Exploitability: Lists known exploits for this vulnerability available from third-party
vendors and/or publicly available sources
- Patches: Displays available patches for this vulnerability
- Malware: Displays any published malware, where you can assess its malware family and
risk


Tell me about Severity Levels 


The severity level assigned to a vulnerability tells you the security risk associated with its 
exploitation. 


Confirmed Vulnerabilities 


Confirmed vulnerabilities (QIDs) are design flaws, programming errors, or
misconfigurations that make your mobile device susceptible to malicious attacks.
Depending on the level of the security risk, the successful exploitation of a confirmed
vulnerability can vary from the disclosure of information to a complete compromise of
the mobile device. Even if the device isn't fully compromised, an exploited confirmed
vulnerability could still lead to the mobile device being used to launch attacks against
users of the mobile device.


Severity Level: Description

- Minimal: Basic information disclosure might enable intruders to discover other
vulnerabilities, but lack of this information does not make the vulnerability
harder to find.
- Medium: Intruders may be able to collect sensitive information about the mobile device,
such as the precise version of software used. With this information, intruders
can easily exploit known vulnerabilities specific to software versions. Other
types of sensitive information might disclose a few lines of source code or
hidden directories.
- Serious: Vulnerabilities at this level typically disclose security-related information that
could result in misuse or an exploit. Examples include source code disclosure
or transmitting authentication credentials over non-encrypted channels.
- Critical: Intruders can exploit the vulnerability to gain highly sensitive content or affect
other users of the mobile device. Examples include certain types of cross-site
scripting and SQL injection attacks.
- Urgent: Intruders can exploit the vulnerability to compromise the mobile device's data
store, obtain information from other users’ accounts, or obtain command
execution on a host in the mobile device's architecture.


Potential Vulnerabilities 


Potential Vulnerabilities indicate the observation of a weakness or error commonly used
to attack a mobile device, but we are unable to confirm if the weakness or error could be
exploited. Where possible, the QID's description and results section include information
and hints for following up with manual analysis. For example, the exploitability of a QID
may be influenced by characteristics that cannot be confirmed, such as the native
Android vulnerabilities which might be present on an Android manufacturer's devices for
which an advisory is not published.


Severity Level: Description

- Minimal: Presence of this vulnerability is indicative of basic information disclosure and
might enable intruders to discover other vulnerabilities. For example in this
scenario, information such as web server type, programming language,
passwords or file path references can be disclosed.
- Medium: Presence of this vulnerability is indicative of basic information disclosure and
might enable intruders to discover other vulnerabilities. For example, the version of
software or session data can be disclosed, which could be used to exploit.
- Serious: Presence of this vulnerability might give access to security-related information
to intruders who are bound to misuse or exploit. Examples of what could
happen if this vulnerability was exploited include bringing down the server or
causing hindrance to the regular service.
- Critical: Presence of this vulnerability might give intruders the ability to gain highly
sensitive content or affect other users of the mobile device.
- Urgent: Presence of this vulnerability might enable intruders to compromise the
mobile device's data store, obtain information from other users’ accounts, or
obtain command execution on a host in the mobile device's architecture. For
example in this scenario, the mobile device users can potentially be targeted if
the device is exploited.


Information Gathered 


Information Gathered issues (QIDs) include visible information about the mobile device's 
platform, OS version, model, and installed security patch level. 


Severity Level: Description

- Minimal: Intruders may be able to retrieve sensitive information related to the mobile
device.
- Medium: Intruders may be able to retrieve sensitive information related to internal
functionality or business logic of the mobile device.
- Serious: Intruders may be able to detect highly sensitive data, such as personally
identifiable information (PII) about other users of the mobile device.


Tell me about vulnerability status 


You'll see the status of the detected vulnerabilities under the Inventory > Vulnerabilities
tab. We continuously update the status of detected vulnerabilities based on the mobile asset
data synced as per the asset sync interval.


Each vulnerability instance is assigned a status - New, Active, Fixed, or Reopened.


New - The first time a vulnerability is detected by a scan, the status is set to New.


Active - A vulnerability detected by two or more scans is set to Active.


Fixed - The most recent scan verified a vulnerability as fixed, and this vulnerability was
detected by the previous scan.


Reopened - The most recent scan reopened a vulnerability, and this vulnerability was
verified as fixed by the previous scan. The next time the vulnerability is detected by a
scan, the status is set to Active.
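

The status rules above, written as a small state machine and replayed over a sequence of scans so that reopened detections can be picked out for follow-up. This is an added example, not Qualys code: the asset names, QIDs and scan sets are constructed, and keeping a Fixed instance at Fixed while later scans stay clean is an assumption the guide does not state.

```python
from enum import Enum
from typing import Dict, List, Optional, Sequence, Set, Tuple

# One vulnerability instance = one QID on one asset.
Instance = Tuple[str, int]


class Status(Enum):
    NEW = "New"
    ACTIVE = "Active"
    FIXED = "Fixed"
    REOPENED = "Reopened"


def next_status(current: Optional[Status], detected: bool) -> Optional[Status]:
    """Return the status after one scan, given the status before it.

    `current` is None while the QID has never been detected on the asset.
    """
    if detected:
        if current is None:
            return Status.NEW        # first time a scan detects it
        if current is Status.FIXED:
            return Status.REOPENED   # previous scan had verified it as fixed
        return Status.ACTIVE         # New, Active or Reopened detected again
    if current is None:
        return None                  # never detected, nothing to track
    # Detected by the previous scan and now gone: Fixed.
    # Assumption: an instance that is already Fixed stays Fixed.
    return Status.FIXED


def track(scans: Sequence[Set[Instance]]) -> Dict[Instance, List[Status]]:
    """Replay scans in order and return the status history of each instance."""
    state: Dict[Instance, Status] = {}
    history: Dict[Instance, List[Status]] = {}
    for detections in scans:
        # Every known instance is re-evaluated, plus anything newly detected.
        for key in sorted(set(state) | set(detections)):
            status = next_status(state.get(key), key in detections)
            state[key] = status
            history.setdefault(key, []).append(status)
    return history


def reopened(history: Dict[Instance, List[Status]]) -> List[Instance]:
    """Instances that were verified fixed and later detected again."""
    return sorted(k for k, h in history.items() if Status.REOPENED in h)


# Constructed sample data: five consecutive scans, each listing the
# (asset, QID) pairs detected in that scan. Names and QIDs are made up.
SAMPLE_SCANS: List[Set[Instance]] = [
    {("asset-a", 900001), ("asset-b", 900002)},
    {("asset-a", 900001)},
    {("asset-c", 900001)},
    {("asset-a", 900001), ("asset-b", 900002), ("asset-c", 900001)},
    {("asset-a", 900001)},
]

if __name__ == "__main__":
    result = track(SAMPLE_SCANS)
    for instance, statuses in sorted(result.items()):
        print(instance, " -> ".join(s.value for s in statuses))
    print("Reopened at least once:", reopened(result))
```

A Reopened instance means a fix did not hold (for example, an app was rolled back or a device was restored), so it is worth reviewing separately from first-time detections.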
Patch Management


For the Android public app (Google Play Store) vulnerabilities, you can patch them using 
the Patch Now option. The Patch Now button will be enabled only for the patchable 
vulnerabilities. This option updates the application to the latest version. 




Click Patch Now to update the particular application. This opens the Deployment Job 
wizard. 


Provide the name for the deployment job and click Next.




This shows the selected QIDs and the associated QIDs. Click Next. 


Click Select Assets and select the assets to which you need to apply patches. Click Add to
add the selected assets, and then click Next.




Click On Demand to run the job, or click Schedule to schedule the deployment job in the
future. Click Next.


If you enable the Configure Enforcement for Deployment option, you must configure the
title, message, and time to enforce the deployment.


If you don't configure the enforcement, the default title and message will be displayed. 
The default enforcement starts in 5 minutes. 




Deployment communication options are optional to configure. If you enable the Configure
Deferment for Deployment option, you need to configure the title, message, deferment,
and the number of deferments.


If you don't configure the deferment, the default title and message will be displayed. The
default deferment reminder is shown every 1 hour, for a maximum of 8 times before
enforcement.


If you configure neither deferment nor enforcement, the default deferment with the
default title and message is displayed. The default deferment reminder is shown every 1
hour, for a maximum of 8 times before enforcement.


After default deferment, default enforcement will be applied.


Click Next to review your selection. Click Save to complete the deployment job.
You can check the status of the deployment job on the Jobs tab.


Job status shows various statuses for deployment jobs. 
Configuration Assessment for Mobile Devices


You can perform the configuration evaluation against best practices for the Android and 
iOS platforms. Currently, most of the configuration details are collected in SEM. However, 
you have to go to individual assets and verify the status of that particular configuration. 


The configuration assessment shows the assets and their misconfigurations, which helps
you take necessary action on such devices. It also ensures that the assets are not exposed
to attacks or vulnerabilities due to misconfigurations.


This feature is available in the VMDR Mobile Device bundle.


Policy Actions 
Qualys SEM provides some default out-of-the-box policies for Android and iOS platforms. 


Every policy has one or more controls assigned to it. Controls define what evaluation 
should be performed on an asset. Based on the evaluations performed on the assets, the 
pass or fail status for the assets is displayed. 


These policies are associated with every asset that is enrolled in SEM. Based on the
platform selected (iOS or Android), these policies are automatically evaluated with every
asset enrollment. Once a policy is enabled for an asset, you can view the compliance
posture in the Monitor tab.


Supported policies are:

- iOS Best Practices
- Android Best Practices

Navigate to the Policy tab to view all the policies supported by Qualys SEM.
You can perform the following actions on a Policy:

- Create a policy: create customized policies for Android and iOS platforms for required
controls and associate them with assets to evaluate them later.
- View a policy: view details of a policy anytime.
- Edit a policy: edit a policy to update any details, assets, or controls information.
- Deactivate a policy: deactivate an active policy.
- Delete a policy: delete an existing policy.
- Evaluate a policy: evaluate an existing active policy.
- Activate a policy: activate an inactive policy.


For more information and detailed steps, refer to the Policy Actions section in the Online
Help.
Monitor Controls


Every policy has one or more controls assigned to it. The controls define what evaluation 
should be performed on an asset. The controls are validated by evaluating the assets, and 
then the pass or fail status of the assets is displayed. SEM supports system-defined 
controls. The Policy > Controls sub-tab lists all controls and their details, such as control 
name, platform, the criticality of the control and so on. 




Click on any control to view details specific to that control. 


Re-evaluate Controls


You can re-evaluate a control by selecting the Quick Actions menu next to the control 
name and clicking Re-evaluate. 




After the re-evaluation, the control’s status is updated across the application. 


Click the Details link (below the Result status) to view the control evaluation details for an 
asset. 




Monitor Assets 


In the Monitor tab, you can monitor your compliance posture in real-time for each asset. 
Go to the Monitor > Assets sub-tab to view details such as asset, model, and evaluation 
status at a quick glance. 


Once the asset is on-boarded, then based on the platform, the best practices policies are 
automatically assigned to the assets and evaluated. After the evaluation, you can view the 
overall evaluation result in the Monitor tab. 


The controls are validated, and the Controls sub-tab displays the pass or fail status. 


From the Controls sub-tab, you can drill down to view details of each control and their 
pass or fail status. Click on the CID to view further specifications of the control. A CID is a 
unique ID assigned by Qualys to each control. 


Use the Group By drop-down menu to view results for a specific selection.




Dashboards and Reports 


This section helps you monitor and analyze various dashboards and reports for your mobile 
assets. Once device enrollment is complete, you can configure various dashboards to view 
your mobile assets' data and details. 


Dashboards 


The dashboard gives you a quick one-page summary of your overall security posture, based on 
your mobile assets' most recent vulnerability scan results. 


Get Started with SEM Dashboard 


Go to Dashboard to see a complete and continuously updated view of all your mobile 
assets in one place within the SEM application. 


You can create a new dashboard, and edit or delete existing dashboards. You can include 
various widgets on your dashboard. 


Select the SEM Mobile Vulnerability Management template. 


The VM dashboard template provides complete visibility into mobile vulnerabilities. 


Reports 


This section helps you view Audit Log reports. An audit log report is a log of the 
actions performed on the SEM portal. 


Go to the Reports tab to analyze the audit logs related to device enrollment and user 
configurations. 


Appendix 


Renew APNs Certificate 


The APNs certificate is valid for 365 days, so the administrator must renew the 
certificate every 365 days. The Qualys SEM Portal notifies the administrator via email when 
the certificate expires. The administrator must renew this certificate before it expires. 
If the certificate expires, the administrator might be unable to manage the Apple devices 
in their organization and would then have to manually de-enroll and re-enroll all Apple 
devices in the system. 


Steps to renew APNs certificate: 


1) Navigate to Configurations > APNs Configuration and click Renew. 


2) Download the Certificate Signing Request (CSR) file and click Next. You may skip this 
step if you have already downloaded the CSR. 


3) Click the Goto Apple Portal link to go to the Apple Push Certificate Portal 
(https://identity.apple.com/pushcert/). 


4) Log in to the Apple Push Certificate Portal using the same Apple ID and password that you 
used to create the APNs certificate. Locate the APNs certificate you want to use, and then 
click Renew. 


Note: If multiple certificates are listed, ensure that you have selected the correct 
APNs certificate, that is, the one you want to renew. 


To confirm that you are using the right certificate, compare the Serial # or expiration 
date of the APNs certificate that you selected, or compare the UID of the certificate. 


5) Browse to locate the certificate file and then click Upload. 


6) In the confirmation window, download the PEM file to a known location. 


7) Now, go back to the Renew APNs Certificate wizard in the Qualys portal. The existing 
APNs Name and the Apple ID appear in the Create Certificate tab. 


8) Upload the certificate file (.pem) that you downloaded from the Apple portal. 


9) Enter the Qualys Portal password and click Save. This APNs certificate is now listed in 
the APNs Configuration tab, and you can continue managing your Apple devices using this 
certificate. 
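

Added example (not part of the Qualys guide): a shell check to run on the PEM file from 
step 6 before uploading it in step 8. It confirms that the UID in the certificate subject 
matches the UID of the certificate being renewed and that the file is not close to expiry. 
The function names, the 30-day threshold, and the constructed sample certificate are 
assumptions; the OpenSSL command-line tool must be installed. 

```shell
#!/bin/sh
# Added example: sanity-check a renewed APNs certificate (.pem) before upload.
# Assumptions: OpenSSL CLI is installed; the 30-day threshold is illustrative.

# Print the UID attribute of the certificate subject.
cert_uid() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^UID=//p'
}

# Exit 0 when the certificate in $1 expires within the next $2 days.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# check_renewal <expected-uid> <renewed.pem>
# Returns 1 on a UID mismatch, 2 when the file is close to expiry.
check_renewal() {
  renewed_uid=$(cert_uid "$2")
  if [ -z "$renewed_uid" ] || [ "$renewed_uid" != "$1" ]; then
    echo "UID mismatch: expected '$1', file has '$renewed_uid'" >&2
    return 1
  fi
  if expires_within_days "$2" 30; then
    echo "File expires within 30 days; it may be the old certificate" >&2
    return 2
  fi
  # Record the new serial number and expiry date for the next renewal.
  openssl x509 -in "$2" -noout -serial -enddate
}

# Constructed sample only: a self-signed stand-in with an APNs-style subject,
# for trying the checks offline. Usage: make_sample_cert <out.pem> <uid> <days>
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj "/C=US/CN=APSP:constructed/UID=$2" -days "$3" -out "$1" 2>/dev/null
}

# Stand-alone use: sh check_apns.sh <expected-uid> <renewed.pem>
if [ "$#" -eq 2 ]; then
  check_renewal "$1" "$2"
fi
```

If the previous year's PEM file is still available, cert_uid on that file prints the 
expected UID to pass as the first argument. 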